1. TurkerHub is now TurkerView Forum!

    To better integrate the services & streamline user experience we've moved the forum to TurkerView's domain. From now on you'll only have to log in once across both services and you'll have access to all the features available on what used to be two different websites.

    If you notice any bugs please let us know!

    Dismiss Notice

CSRF Errors: Update & Explanation

Discussion in 'Requesters' started by Kariyushi Rao, Oct 23, 2018.

  1. Kariyushi Rao

    Kariyushi Rao A18NBQ046IR47F

    Messages:
    1
    Gender:
    Female
    Ratings:
    +8
    tl;dr the open-source platform Django requires cookies to be enabled in your browser in order to complete forms, a lot of researchers use oTree, which is built on the Django platform, and some Turkers are experiencing errors when encountering our forms

    Hey everyone,

    I just wanted to proactively reach out about a (feature? update?) of the open-source platform Django, which is causing some Turkers to encounter an error when they try to complete forms built on the Django platform. Django is just an open-source platform that lets people code website apps using Python. A lot of researchers (like me) use another open-source platform called oTree to build social science experiments, and oTree relies on Django code.

    Either more Turkers are disabling cookies (which is probably a good idea), or Django introduced or hardened the requirements for people to have cookies enabled in their browser in order to interact with a form. So, I'm getting some reports from Turkers that they're receiving a "CSRF Verification Failed" error asking them to enable cookies. Most of us using oTree don't care at all about cookies being enabled (we're not interested in tracking Turkers over time, especially without their consent, we're just interested in your responses to our specific experiment). But, it's not clear whether "breaking" the Django code so Turkers can keep cookies disabled will interact with other dependencies in our apps, so there doesn't seem to be an easy fix for the issue at the moment (at least not one that I am aware of, though I'm still looking for one).

    Anyway, I just wanted to proactively communicate that this error is the result of security requirements around Django forms (at least as far as I can tell), not anything related to my (or fellow oTree users') interest in tracking any information using browser cookies. If it were up to me, we would intentionally avoid dropping any cookies anywhere, ever.

    If anyone has suggestions, comments, or workarounds, feel free to DM me.

    Thanks,
    Kariyushi
     
    • Useful / Informative Useful / Informative x 7
    • Like Like x 1